sb56637
October 21, 2018, 5:10pm
16
"Security" of a website is an extremely nebulous and general term, with countless factors coming into play:
sb56637 (quoting https://budgetlightforum.com/t/-/52457/15):
1. The risk of malware on your device that logs your personal data and “phones home” to the attacker. This is by far the most common attack.
SSL (https://) does NOT protect against this risk.
As the administrator of BLF, I can’t do anything to protect users from this risk.
2. The risk of somebody tricking you into revealing your password(s) and/or financial information by pretending to be somebody else. This is also a common attack vector.
SSL (https://) does NOT protect against this risk.
As the administrator of BLF, I can’t do anything to protect users from this risk.
3. The risk of somebody hacking into the web server and installing something malicious that infects visitors. This is also relatively common.
SSL (https://) does NOT protect against this risk.
As the administrator of BLF, it is entirely my responsibility to protect my users against this sort of attack, and I take it very seriously. There are a huge number of best practices for administrating a web server that I adhere to to keep the server as secure as possible. Usually if there is a sudden unplanned maintenance window for BLF, it’s because I’m applying security patches.
4. The risk of somebody hijacking the webpage data while it’s in transit “on the wire” between the web server and the visitor and modifying and/or stealing the data. This is not common.
This is what SSL (https://) is designed to protect against.
sb56637 (quoting https://budgetlightforum.com/t/-/52457/15):
A frequently overlooked downside of implementing SSL is that it requires significantly more server resources to encrypt and decrypt all the traffic. The BLF server is already under rather heavy load most of the time, and SSL would surely push it over the edge, requiring another server upgrade or even a migration to a different host.
ToyKeeper (quoting https://budgetlightforum.com/t/-/52457/22):
This would create a whole lot of warnings and/or break a lot of image links. Like, I’d probably have to add https to my site (finally) and edit every post I’ve ever made with images. Which isn’t really all that much of a problem for me personally, but in a site-wide sense it would be pretty disruptive.
The server-passthrough workaround could reduce disruption, but it’s even more complication and more server load for sb to deal with. And some of the sites I’ve seen with that method end up breaking half the time anyway.
This is blatant misinformation and pure FUD. Here's the most recent Drupal 7 security patch from October 17 (4 days ago), which I applied on that very same day within hours of its release, as I have for every single other security update released during the past 8+ years of administering BLF:
https://www.drupal.org/psa-2018-10-17
Drupal 7 is fully supported still, with both security and feature / bug fixes.
In short, @79ford, if you feel insecure by using BLF despite all the above facts, or if you insist on spreading false information, I suggest you stop using it.
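The quoted exchange raises a concrete migration problem: once a page is served over https://, any post that still embeds http:// images or scripts becomes "mixed content", which browsers warn about (images) or block outright (scripts, stylesheets, iframes). The script below is an added example, not BLF tooling or code by any of the posters. It audits post HTML for such references and rewrites an http:// URL to https:// only when its host is on an allow-list of hosts already verified to serve https; everything else is reported for manual editing, because a blind rewrite would break exactly the image links ToyKeeper worries about. The sample posts, hostnames and the `HTTPS_HOSTS` allow-list are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# http:// references in these elements are *active* mixed content: browsers
# refuse to load them on an https:// page, so the feature simply breaks.
ACTIVE = {"script": ("src",), "iframe": ("src",), "object": ("data",), "link": ("href",)}
# http:// references here are *passive* mixed content: browsers warn, or try
# https:// instead, which only works if that host actually serves https.
PASSIVE = {"img": ("src",), "audio": ("src",), "video": ("src", "poster"), "source": ("src",)}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, url) for every plaintext-http resource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <link> is only active content when it pulls in a stylesheet
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for table, severity in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for attr in table.get(tag, ()):
                url = attrs.get(attr)
                if url and urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))


def scan_post(html):
    """Return mixed-content findings for one post body, in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_url(url, https_hosts):
    """Rewrite http:// to https:// only for hosts known to serve https.
    Any other URL is returned unchanged: a blind rewrite would break the link."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in https_hosts:
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def audit(posts, https_hosts):
    """Per post: counts by severity, plus which URLs can be fixed automatically
    and which need a human to find a working https replacement."""
    report = {}
    for post_id, html in posts.items():
        findings = scan_post(html)
        urls = [u for _, _, u in findings]
        report[post_id] = {
            "active": sum(1 for s, _, _ in findings if s == "active"),
            "passive": sum(1 for s, _, _ in findings if s == "passive"),
            "auto_fixable": [u for u in urls if upgrade_url(u, https_hosts) != u],
            "needs_manual_edit": [u for u in urls if upgrade_url(u, https_hosts) == u],
        }
    return report


# Constructed sample posts; hostnames are placeholders, not real sites.
SAMPLE_POSTS = {
    "post-1": """
        <p>Beamshots below:</p>
        <img src="http://pics.example.test/beam1.jpg">
        <img src="https://pics.example.test/beam2.jpg">
        <a href="http://example.test/review">full review</a>
        <script src="http://cdn.example.test/gallery.js"></script>
        <link rel="stylesheet" href="http://cdn.example.test/gallery.css">
    """,
    "post-2": """
        <p>All good here.</p>
        <img src="https://pics.example.test/beam3.jpg">
        <a href="http://example.test/thread">plain link, not mixed content</a>
    """,
}
# Assumed allow-list: hosts an admin has confirmed serve a valid https:// certificate.
HTTPS_HOSTS = {"pics.example.test"}

if __name__ == "__main__":
    for post_id, summary in audit(SAMPLE_POSTS, HTTPS_HOSTS).items():
        print(post_id, summary)
```

Plain `<a href="http://...">` links are deliberately not flagged: navigating to an http:// page is not mixed content, only loading a subresource into an https:// page is. Running the audit over every post before flipping the site to https gives the administrator the size of the cleanup ToyKeeper describes, and the `auto_fixable` list is the part a bulk search-and-replace can safely handle.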